Skip to content

[v9.x backport] backport 18607, 18953 #19194

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
lpinca wants to merge 25 commits into from
Closed

[v9.x backport] backport 18607, 18953 #19194

Changes from 1 commit
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
819ff1a
deps: cherry-pick 46c4979e86 from upstream v8
bnoordhuis Feb 21, 2018
62dc43d
src: clean up process.dlopen()
bnoordhuis Feb 22, 2018
86fa308
src: make process.dlopen() load well-known symbol
bnoordhuis Feb 22, 2018
6bd8c10
build: fix gocvr version used for coverage
mhdawson Mar 2, 2018
a3b9542
module: fix cyclical dynamic import
bmeck Feb 23, 2018
57ddfd1
doc: add simple example to rename function
punteek Feb 16, 2018
6ad9be0
doc: new team for bundlers or delivery of Node.js
mhdawson Mar 2, 2018
dc25929
deps: cherry-pick 0bcb1d6f from upstream V8
jakobkummerow Dec 5, 2017
d268061
doc: add introduced_in metadata to _toc.md
Trott Mar 4, 2018
15281b0
doc: update cc list
BridgeAR Mar 2, 2018
83c912a
doc: remove tentativeness in pull-requests.md
Trott Mar 4, 2018
7861df9
doc: remove subsystem from pull request template
Trott Mar 4, 2018
d6153e9
src: refactor GetPeerCertificate
danbev Mar 2, 2018
0b22bab
src: use std::unique_ptr for STACK_OF(X509)
bnoordhuis Mar 2, 2018
7448712
test: move require http2 to after crypto check
danbev Mar 3, 2018
4829469
src: #include <stdio.h>" to iculslocs
srl295 Mar 5, 2018
c89e8f3
perf_hooks: fix timing
TimothyGu Feb 25, 2018
c81a391
test: add more information to assert.strictEqual
ryzokuken Mar 6, 2018
03784d7
src: handle exceptions in env->SetImmediates
jasnell Jan 26, 2018
6e1bed1
src: prevent persistent handle resource leaks
bnoordhuis Feb 21, 2018
5b4eeb8
src: remove unnecessary Reset() calls
bnoordhuis Feb 21, 2018
d3eaf77
src: don't touch js object in Http2Session dtor
bnoordhuis Feb 21, 2018
4e9ac10
http2: no stream destroy while its data is on the wire
addaleax Feb 26, 2018
23807d7
net: inline and simplify onSocketEnd
addaleax Feb 6, 2018
64746c7
stream: add no-half-open enforcer only if needed
lpinca Feb 23, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
src: refactor GetPeerCertificate 
PR-URL: #19087
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
  • Loading branch information
@danbev @MylesBorins
danbev authored and MylesBorins committed Mar 6, 2018
commit d6153e9eb524e679f025b2391bcb687460545b94
172 changes: 100 additions & 72 deletions src/node_crypto.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2002,7 +2002,89 @@ static Local<Object> X509ToObject(Environment* env, X509* cert) {
}


// TODO(indutny): Split it into multiple smaller functions
static Local<Object> AddIssuerChainToObject(X509** cert,
Local<Object> object,
STACK_OF(X509)* const peer_certs,
Environment* const env) {
Local<Context> context = env->isolate()->GetCurrentContext();
*cert = sk_X509_delete(peer_certs, 0);
for (;;) {
int i;
for (i = 0; i < sk_X509_num(peer_certs); i++) {
X509* ca = sk_X509_value(peer_certs, i);
if (X509_check_issued(ca, *cert) != X509_V_OK)
continue;

Local<Object> ca_info = X509ToObject(env, ca);
object->Set(context, env->issuercert_string(), ca_info).FromJust();
object = ca_info;

// NOTE: Intentionally freeing cert that is not used anymore.
X509_free(*cert);

// Delete cert and continue aggregating issuers.
*cert = sk_X509_delete(peer_certs, i);
break;
}

// Issuer not found, break out of the loop.
if (i == sk_X509_num(peer_certs))
break;
}
sk_X509_pop_free(peer_certs, X509_free);
return object;
}


static bool CloneSSLCerts(X509** cert,
const STACK_OF(X509)* const ssl_certs,
STACK_OF(X509)** peer_certs) {
*peer_certs = sk_X509_new(nullptr);
bool result = true;
if (*cert != nullptr)
sk_X509_push(*peer_certs, *cert);
for (int i = 0; i < sk_X509_num(ssl_certs); i++) {
*cert = X509_dup(sk_X509_value(ssl_certs, i));
if (*cert == nullptr) {
result = false;
break;
}
if (!sk_X509_push(*peer_certs, *cert)) {
result = false;
break;
}
}
if (!result) {
sk_X509_pop_free(*peer_certs, X509_free);
}
return result;
}


static Local<Object> GetLastIssuedCert(X509** cert,
const SSL* const ssl,
Local<Object> issuer_chain,
Environment* const env) {
Local<Context> context = env->isolate()->GetCurrentContext();
while (X509_check_issued(*cert, *cert) != X509_V_OK) {
X509* ca;
if (SSL_CTX_get_issuer(SSL_get_SSL_CTX(ssl), *cert, &ca) <= 0)
break;

Local<Object> ca_info = X509ToObject(env, ca);
issuer_chain->Set(context, env->issuercert_string(), ca_info).FromJust();
issuer_chain = ca_info;

// NOTE: Intentionally freeing cert that is not used anymore.
X509_free(*cert);

// Delete cert and continue aggregating issuers.
*cert = ca;
}
return issuer_chain;
}


template <class Base>
void SSLWrap<Base>::GetPeerCertificate(
const FunctionCallbackInfo<Value>& args) {
Expand All @@ -2014,97 +2096,43 @@ void SSLWrap<Base>::GetPeerCertificate(
ClearErrorOnReturn clear_error_on_return;

Local<Object> result;
Local<Object> info;
// Used to build the issuer certificate chain.
Local<Object> issuer_chain;

// NOTE: This is because of the odd OpenSSL behavior. On client `cert_chain`
// contains the `peer_certificate`, but on server it doesn't
// contains the `peer_certificate`, but on server it doesn't.
X509* cert = w->is_server() ? SSL_get_peer_certificate(w->ssl_) : nullptr;
STACK_OF(X509)* ssl_certs = SSL_get_peer_cert_chain(w->ssl_);
STACK_OF(X509)* peer_certs = nullptr;
if (cert == nullptr && ssl_certs == nullptr)
if (cert == nullptr && (ssl_certs == nullptr || sk_X509_num(ssl_certs) == 0))
goto done;

if (cert == nullptr && sk_X509_num(ssl_certs) == 0)
goto done;

// Short result requested
// Short result requested.
if (args.Length() < 1 || !args[0]->IsTrue()) {
result = X509ToObject(env,
cert == nullptr ? sk_X509_value(ssl_certs, 0) : cert);
goto done;
}

// Clone `ssl_certs`, because we are going to destruct it
peer_certs = sk_X509_new(nullptr);
if (cert != nullptr)
sk_X509_push(peer_certs, cert);
for (int i = 0; i < sk_X509_num(ssl_certs); i++) {
cert = X509_dup(sk_X509_value(ssl_certs, i));
if (cert == nullptr)
goto done;
if (!sk_X509_push(peer_certs, cert))
goto done;
}

// First and main certificate
cert = sk_X509_value(peer_certs, 0);
result = X509ToObject(env, cert);
info = result;

// Put issuer inside the object
cert = sk_X509_delete(peer_certs, 0);
while (sk_X509_num(peer_certs) > 0) {
int i;
for (i = 0; i < sk_X509_num(peer_certs); i++) {
X509* ca = sk_X509_value(peer_certs, i);
if (X509_check_issued(ca, cert) != X509_V_OK)
continue;

Local<Object> ca_info = X509ToObject(env, ca);
info->Set(context, env->issuercert_string(), ca_info).FromJust();
info = ca_info;

// NOTE: Intentionally freeing cert that is not used anymore
X509_free(cert);

// Delete cert and continue aggregating issuers
cert = sk_X509_delete(peer_certs, i);
break;
}

// Issuer not found, break out of the loop
if (i == sk_X509_num(peer_certs))
break;
}

// Last certificate should be self-signed
while (X509_check_issued(cert, cert) != X509_V_OK) {
X509* ca;
if (SSL_CTX_get_issuer(SSL_get_SSL_CTX(w->ssl_), cert, &ca) <= 0)
break;

Local<Object> ca_info = X509ToObject(env, ca);
info->Set(context, env->issuercert_string(), ca_info).FromJust();
info = ca_info;
if (CloneSSLCerts(&cert, ssl_certs, &peer_certs)) {
// First and main certificate.
cert = sk_X509_value(peer_certs, 0);
result = X509ToObject(env, cert);

// NOTE: Intentionally freeing cert that is not used anymore
X509_free(cert);
issuer_chain = AddIssuerChainToObject(&cert, result, peer_certs, env);
issuer_chain = GetLastIssuedCert(&cert, w->ssl_, issuer_chain, env);
// Last certificate should be self-signed.
if (X509_check_issued(cert, cert) == X509_V_OK)
issuer_chain->Set(env->context(),
env->issuercert_string(),
issuer_chain).FromJust();

// Delete cert and continue aggregating issuers
cert = ca;
CHECK_NE(cert, nullptr);
}

// Self-issued certificate
if (X509_check_issued(cert, cert) == X509_V_OK)
info->Set(context, env->issuercert_string(), info).FromJust();

CHECK_NE(cert, nullptr);

done:
if (cert != nullptr)
X509_free(cert);
if (peer_certs != nullptr)
sk_X509_pop_free(peer_certs, X509_free);
if (result.IsEmpty())
result = Object::New(env->isolate());
args.GetReturnValue().Set(result);
Expand Down